DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Technical Security Evaluation of U.S. Immigration and Customs Enforcement
Activities at the Chet Holifield Federal Building (Redacted)

Notice: The Department of Homeland Security, Office of the Inspector
General, has redacted this report for public release. A review under the
Freedom of Information Act (5 U.S.C. 552) will be conducted upon request.

OIG-08-59    May 2008

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

May 28, 2008

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and
special reports prepared as part of our oversight responsibilities to promote economy,
efficiency, and effectiveness within the department.

This report addresses the implementation of technical and information security policies
and procedures at U.S. Immigration and Customs Enforcement locations at the Chet
Holifield Federal Building, Laguna Niguel, California. It is based on interviews with
employees and officials of relevant agencies and institutions, direct observations, and
reviews of applicable documents.

The recommendations herein have been developed to the best knowledge available to our
office, and have been discussed in draft with those responsible for implementation.
It is our hope that this report will result in more effective, efficient, and economical
operations. We express our appreciation to all of those who contributed to the
preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
Background
Results of Review
    Systems Did Not Comply Fully With DHS Operational Control Requirements
    Recommendations
    Management Comments and OIG Analysis
    Systems Did Not Comply Fully With DHS Technical Control Requirements
    Recommendations
    Management Comments and OIG Analysis
    Systems Did Not Comply Fully With DHS Management Control Requirements
    Recommendations
    Management Comments and OIG Analysis

Appendices
    Appendix A: Purpose, Scope, and Methodology
    Appendix B: Management Comments to Draft Report
    Appendix C: ICE Novell Servers with Known Vulnerabilities
    Appendix D: ICE Windows Servers with Known Vulnerabilities
    Appendix E: Certification and Accreditation Status
    Appendix F: Status of Privacy Compliance Activities for ICE Systems
    Appendix G: Major Contributors to This Report
    Appendix H: Report Distribution

Abbreviations
    ACL                   Administrative Center Laguna
    ATO                   Authorization to Operate
    CHFB                  Chet Holifield Federal Building
    CIO                   Chief Information Officer
    CISO                  Chief Information Security Officer
    CSIRC                 Computer Security Incident Response Center
    DAA                   Designated Accrediting Authority
    DHS                   Department of Homeland Security
    DHS Directive 4300A   DHS Sensitive Systems Policy Directive 4300A
    DHS 4300A Handbook    DHS 4300A Sensitive Systems Handbook
    FISMA                 Federal Information Security Management Act
    HVAC                  Heating, Ventilation, and Air Conditioning
    ICE                   Immigration and Customs Enforcement
    IT                    Information Technology
    OIG                   Office of Inspector General
    OIT                   Office of Information Technology
    TA-FISMA              Trusted Agent FISMA
    USCIS                 U.S. Citizenship and Immigration Services

OIG

Department of Homeland Security
Office of Inspector General

Executive Summary

We initiated a program to determine the extent to which critical
Department of Homeland Security sites comply with the
department’s technical and information security policies and
procedures. Based on our internal analysis, we selected the Chet
Holifield Federal Building located in Laguna Niguel, California,
where U.S. Immigration and Customs Enforcement operates the
West Area Information Technology Field Operations office.

Our evaluation focused on how Immigration and Customs
Enforcement has implemented computer security operational,
technical, and management controls for its information technology
resources at this site. We performed onsite inspections of the areas
where these resources were located, interviewed department staff,
and conducted technical tests of internal controls, e.g., scans for
wireless networks. We also reviewed applicable department
policies, procedures, and other appropriate documentation.

The information technology security controls implemented at this
site have deficiencies that, if exploited, could result in the loss of
confidentiality, integrity, and availability of their information
technology systems.
Specifically, Immigration and Customs
Enforcement needs to improve its physical security,
environmental, and business continuity controls for its computer
room and telecommunications closets. Immigration and Customs
Enforcement also could improve its technical controls by installing
the latest patches, disabling unnecessary ports, and improving
network configuration. Additionally, management controls could
be improved by implementing procedures to identify and
disconnect unused telecommunications lines and by completing all
required certification and accreditation activities. Management
concurred with all 10 of our recommendations and is taking action to
resolve them.

Technical Security Evaluation of ICE Activities at the Chet Holifield Federal Building
(Redacted)

Background

We designed our Technical Security Evaluation Program to
provide senior Department of Homeland Security (DHS) officials
with timely information on whether they had adequately
implemented DHS information technology (IT) security policies at
critical sites. Our program is based on DHS Sensitive Systems
Policy Directive 4300A (DHS Directive 4300A), which applies to
all DHS components and provides direction to managers and
senior executives regarding the management and protection of
sensitive systems.
DHS Directive 4300A also outlines policies
relating to the operational, technical, and management controls that
are necessary for ensuring confidentiality, integrity, availability,
authenticity, and nonrepudiation within the DHS IT infrastructure
and operations. A companion document—the DHS 4300A
Sensitive Systems Handbook (DHS 4300A Handbook)—provides
detailed guidance on the implementation of these policies.

DHS IT security policies are organized under management,
operational, and technical controls. According to DHS Directive
4300A, these controls are defined as follows:

    • Operational Controls – Focus on mechanisms
      primarily implemented and executed by people. These
      controls are designed to improve the security of a
      particular system, or group of systems. These controls
      require technical or specialized expertise and often rely
      on management and technical controls.

                        **********

    • Technical Controls – Focus on security controls
      executed by IT systems. These controls provide
      automated protection from unauthorized access or
      misuse. They facilitate detection of security violations,
      and support security requirements for applications and
      data.

                        **********

    • Management Controls – Focus on managing both the
      IT security system and system risk. These controls
      consist of risk mitigation techniques and concerns
      normally addressed by management.

Based on our internal analysis, we selected the Chet Holifield
Federal Building (CHFB) located in Laguna Niguel, California,
where the U.S. Immigration and Customs Enforcement’s (ICE)
West Area 2 Field Operations office is located. The
U.S. Citizenship and Immigration Services (USCIS) and
U.S. Customs and Border Protection also operate in this facility,
and their activities are addressed in separate evaluation reports.

Results of Review

Systems Did Not Comply Fully With DHS Operational Control
Requirements

Some operational controls that ICE implemented at CHFB did not
conform to DHS policies; these included physical security,
environmental controls, and business continuity.
Together, these
deficiencies could place at risk the confidentiality, integrity, and
availability of the data stored, transmitted, and processed by ICE at
CHFB.

Physical Security Controls

While ICE has implemented some physical security access
controls, including the use of badges, card readers, and locked
entrances, physical security controls could be strengthened at their
CHFB locations. Specifically, ICE needs to limit access to IT
assets in the ICE/USCIS shared server room at CHFB. Examples
of situations that need attention follow:

Figure 1 illustrates how ICE IT assets are located directly behind
the printout table and accessible to staff who come to pick up
printouts.

Figure 1: Computer Room Printout Desk

The examples mentioned above increase the risk of unauthorized
access to potentially sensitive information and accidental loss of
power or damage to IT resources at CHFB.

According to the DHS 4300A Handbook:

    To protect sensitive information and limit the damage that
    can result from accident, error, or unauthorized use, the
    principle of least privilege must be applied.
    The principle
    of least privilege requires that users be granted the most
    restrictive set of privileges (or lowest clearance) needed for
    performance of authorized tasks—i.e., users should be able
    to access only the system resources needed to fulfill their
    job responsibilities.

Environmental Controls

ICE should maintain its environmental operational controls at
prescribed levels by adjusting the heating, ventilation, and air
conditioning (HVAC) temperature controls in the
telecommunications rooms, in accordance with agency guidance.

ICE’s telecommunications equipment was also at risk of failure
because of the absence of temperature or humidity sensors in the
telecommunications closets. Specifically, eleven ICE
telecommunications rooms had temperatures that exceeded 70
degrees. We noted that only two of these rooms had any
temperature or humidity sensors.

According to the DHS 4300A Handbook:

    Temperatures in computer storage areas should be held
    between 60 and 70 degrees Fahrenheit.

Business Continuity

ICE’s business continuity capability also needs to be improved at
CHFB.
We identified several issues involving ICE IT resources in
room 2102, including

    • The ICE Public Address system rack could be better
      secured by bracing it to prevent damage during an
      earthquake.
    • One of the power distribution units is not connected to the
      emergency power-off switch.

Additionally, the need to connect all power distribution units to the
emergency cut-off switch is related to ICE’s use of a water-based,
fire-suppression system. If all power distribution units are not
connected to the emergency shut-off switch, the IT resources that
are still receiving power when the sprinklers are activated are at
increased risk of short circuit during a fire. Further, ICE cannot
ensure that its IT resources will be available when needed without
backup generators.

According to the DHS 4300A Handbook:

    DHS must have the capability to ensure continuity of
    essential functions under all circumstances.

Recommendations:

We recommend that the ICE Chief Information Officer (CIO) take
the following actions for ICE activities at CHFB:

Recommendation #1: Implement stronger physical security and
environmental controls to protect ICE’s IT assets from possible
loss, theft, destruction, accidental damage, hazardous conditions,
fire, malicious actions, and natural disasters.

Recommendation #2: Implement business continuity of
operations capability for ICE facilities at CHFB.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the
ICE Assistant Secretary. We have included a copy of the
comments in their entirety at Appendix B.

In the comments, ICE concurred with these recommendations. We
agree that the recommendations are resolved and that planned
actions are appropriate to address the issues. Recommendations 1
and 2 will be considered resolved but open pending completion
and verification of all planned actions.

Systems Did Not Comply Fully With DHS Technical Control
Requirements

ICE’s implementation of technical controls at CHFB did not
conform to DHS policies involving configuration management of
operating systems and routers.
These deficiencies increase the risk
that ICE IT systems used at CHFB are vulnerable to internal
attacks.

Operating System Configuration Management

Unsupported operating systems were running on ICE’s servers at
CHFB.

Operating systems that are not supported by their vendors may not receive
updates, or “patches,” when a vulnerability or exploitation has
been identified.

Our technical scans also identified ICE servers with known
vulnerabilities. [1]

[1] See Appendices C and D for inventories of ICE servers with known vulnerabilities.
[2] “Cross-site scripting” is a technique by which a malicious web site operator may apply script, and execute
code, in another user’s web session.
[3] An attacker is able to gain a list of user names, shares, and other potentially sensitive information by
creating a Null session.

According to DHS Directive 4300A:

    Components shall manage systems to reduce vulnerabilities
    through vulnerability testing, promptly installing patches,
    and eliminating or disabling unnecessary services, if
    possible.

                        **********

    DHS Components must have provisions for reacting
    quickly as these critical patches are identified and released
    by the DHS CSIRC.

Router Configuration Management Controls

According to DHS Directive 4300A:

    Telnet shall not be used to connect to any DHS computer.
    A connection protocol such as Secure Shell (SSH) that
    employs secure authentication (two factor, encrypted, key
    exchange, etc.) and is approved by the Component shall be
    used instead.

[4] According to the National Institute of Standards and Technology’s Threat Assessment of Malicious Code
and Human Threats (NISTIR 4939), “Insiders are legitimate users of a system. When they use that access
to circumvent security, that is known as an insider attack.”

Password Management Requirements

ICE password policies did not conform to DHS Directive 4300A or
were not consistently applied to all ICE’s servers.

According to the DHS 4300A Handbook:

    Passwords are important because they are often the first
    line of defense against hackers or insiders who may be
    trying to obtain unauthorized access to a computer system
    … Passwords shall be at least 8 characters in length [and]
    shall be changed or expire in 180 days or less.

Actions Taken

ICE took immediate actions to address some of the technical
control deficiencies.
Specifically, ICE:

    • Reconfigured some of the servers from the Windows NT
      operating system to the Windows 2003 operating system;
    • Reconfigured its servers from the Novell operating system
      to Windows 2003 operating system.

Recommendations:

We recommend that the ICE CIO take the following actions for
ICE activities at CHFB:

Recommendation #3: Develop a migration plan to transition
from unsupported operating systems to operating systems for
which DHS has a Secure Baseline Configuration Guide.

Recommendation #4: Implement the password policy established
by DHS Directive 4300A.

Recommendation #5: Use a connection protocol that employs
secure authentication.

Recommendation #6: Eliminate or disable unnecessary services
from its routers.

Recommendation #7: Develop a process for implementing
identified patches in a timely fashion.

Management Comments and OIG Analysis

In the comments, ICE concurred with these recommendations. We
agree that the recommendations are resolved and that planned
actions are appropriate to address the issues.
Recommendations 3,
4, 5, 6, and 7 will be considered resolved but open pending
completion and verification of all planned actions.

Systems Did Not Comply Fully With DHS Management Control
Requirements

ICE’s implementation of management controls at CHFB did not
conform to DHS policies. For example, ICE has not maintained
accurate IT systems inventories. The lack of an accurate inventory
of telecommunications lines places ICE at risk of unnecessary
expenditures. Additionally, there are deficiencies in system
accreditation, and incomplete privacy compliance activities. [5]
These management control deficiencies increase the risk to ICE IT
investments, systems, and data from new threats and vulnerabilities
for which safeguards have not been implemented.

[5] The Privacy Act of 1974 ("Privacy Act"), 5 U.S.C. § 552a, as amended, provides statutory privacy rights
to U.S. citizens and Legal Permanent Residents.

Management of Telecommunications Lines

ICE did not have an accurate inventory of its telecommunications
lines at CHFB. For example, ICE could save $17,412 annually by
disconnecting a nonoperational telecommunications line.
Specifically, ICE is paying a $1,451 monthly fee for a
telecommunications line that has not been used since the
implementation of the DHS OneNet. [6] After determining that this
telecommunications line was not being used, we recommended
that ICE disconnect the line immediately. [7]

We also identified 33 other active telecommunications lines whose
ownership is unknown. If these lines are disconnected, it may
result in a monthly cost savings of $160,220, or $1.9 million per
year. See Figure 2 below for details.

Figure 2: Range of Potential Monthly Savings for 33 Unused
Telecommunications Lines [8]
(bar chart; x-axis: Monthly Charges Per Single Line; y-axis: Potential
Savings (Single Line X 33))

    Line            Monthly Charges Per Single Line    Potential Savings (Single Line X 33)
    ICE             $1,451                             $47,883
    CBP             $2,234                             $73,722
    CIS             $2,980                             $98,340
    ICE             $3,243                             $107,019
    Average Cost    $4,855                             $160,220
    ICE             $7,299                             $240,867
    CIS             $8,151                             $268,983
    CBP             $8,628                             $284,724

According to DHS 4300A Handbook, component CIOs are to:

    Ensure that an accurate IT systems inventory is established
    and maintained.

[6] The DHS OneNet was installed at the CHFB in February 2006 and activated in June 2006.
[7] According to the DHS Infrastructure Project Office, the components are responsible for disconnecting
telecommunications lines when the DHS OneNet is installed. Additionally, the DHS Infrastructure Project
Office was unable to provide us with documentation of actual cost-savings due to the disconnection of
telecommunications lines following the DHS OneNet implementation at any site.
[8] The average monthly fee for seven telecommunications lines at CHFB is $4,855. The estimated monthly
charges for the 33 unclaimed telecommunications lines, based on the average monthly fee, is $160,215
(33 lines times an average cost of $4,855 per line). Therefore the potential annual savings is
approximately $1.9 million ($160,220 x 12 months).

Without an adequate inventory of telecommunications lines, ICE
may not know who is accessing their IT resources. Additionally,
ICE may be spending money for unnecessary resources.

System Accreditation Deficiencies

ICE has not maintained an accurate inventory of the IT systems in
use at CHFB. [9] Specifically, one of the three ICE systems (33%) in
use at CHFB is not currently included in DHS’ Trusted Agent
FISMA (TA-FISMA) reporting tool. [10] At the start of our audit
fieldwork, the ICE infrastructure at CHFB was included under the
Administrative Center Laguna (ACL) entry in TA-FISMA.
However, in July 2007, USCIS changed the name of the ACL
system to the Western Region and made the system account
unavailable to ICE.

According to DHS 4300A Handbook, component CIOs are to:

    Ensure that an accurate IT systems inventory is established
    and maintained.

Further,
the authorization to operate for the ICE infrastructure at CHFB has
expired.

According to DHS 4300A Handbook:

    For operational systems, the DAA makes a risk-based
    decision either to grant full authorization to operate or
    deny authorization to operate.

Incomplete Privacy Compliance Activities

ICE had not completed all privacy compliance activities for ICE
systems in use at CHFB. Specifically, ICE has completed all
required privacy compliance activities for only 1 of 3 (33%)
systems in use at CHFB. [11] Further, the department has not
validated the one Privacy Impact Assessment known to be
required.

[9] See Appendix E, Certification and Accreditation Status, for the ICE systems that are in operation at
CHFB.
[10] DHS uses an enterprise management tool, Trusted Agent FISMA, to collect and track data related to all
Plans of Action and Milestones, including self-assessments, and certification and accreditation data.
[11] See Appendix F, Status of Privacy Compliance Activities for ICE Systems, for further information.

Recommendations:

We recommend that the ICE CIO take the following actions for
ICE activities at CHFB:

Recommendation #8: Implement procedures to identify and
disconnect unused telecommunications lines.

Recommendation #9: Complete the activities required to
accredit and authorize IT systems that are in use at CHFB.

Recommendation #10: Complete Privacy Impact Assessments
and publish updated System of Records Notices, as needed, for
systems in use at CHFB.

Management Comments and OIG Analysis

In the comments, ICE concurred with these recommendations. We
agree that the recommendations are resolved and that planned
actions are appropriate to address the issues.
Recommendations 8, 9, and 10 will be considered resolved but open pending
completion and verification of all planned actions.

Appendix A
Purpose, Scope, and Methodology

This review is part of a program to evaluate, on an ongoing basis, the
implementation of DHS technical and information security policies and
procedures at DHS sites. The objective of this program is to determine the
extent to which critical DHS sites comply with the department’s technical and
information security policies and procedures, according to DHS Sensitive
Systems Policy Directive 4300A and its companion document, the DHS 4300A
Sensitive Systems Handbook.

We coordinated the implementation of this technical security evaluation
program with the DHS Chief Information Security Officer (CISO). We mutually
agreed to the wording for the Rules of Engagement for the technical testing. 12
Our entrance and exit conferences were held with ICE officials at the Office
of Information Technology (OIT) in Washington, D.C. and by telephone with CHFB
OIT officials.

We performed technical evaluations only after the DHS CISO and ICE agreed to
our negotiated Rules of Engagement.
These technical evaluations included:

    • Security scans of servers, routers, and switches using various
      software packages, and
    • Scans to determine whether wireless devices were being used by DHS
      components.

We reviewed applicable DHS and ICE policies, procedures, and ICE’s responses
to our site surveys and technical questionnaires. Prior to performing our
onsite review, we used ICE’s responses to identify occupied space, server
rooms, and telecommunications closets. Our onsite review included a physical
review of ICE space, and interviews with ICE staff. Our technical review
included onsite reviews of server security policies as well as scans for DHS
wireless devices operating at CHFB. 13 Additionally, we reviewed guidance
provided by DHS to the components in the areas of patch management, operating
systems, and wireless security.

We provided ICE with briefings concerning the results of fieldwork and the
information summarized in this report.
We conducted this review between February and July 2007.

12 The Rules of Engagement established the boundaries and schedules for the
technical evaluations.
13 We did not find any wireless devices being used by ICE at CHFB.

We performed our work according to the Quality Standards for Inspection of the
President’s Council on Integrity and Efficiency, and pursuant to the Inspector
General Act of 1978, as amended.

We appreciate the efforts by DHS management and staff to provide the
information and access necessary to accomplish this review. Our points of
contact for this report are Frank Deffer, Assistant Inspector General for
Information Technology, (202) 254-4100, and Roger Dressler, Director for
Information Systems and Architectures, (202) 254-5441.
Major OIG contributors to the review are identified in Appendix G.

Appendix B
Management Comments to the Draft Report

Appendix C
ICE Novell Servers with Known Vulnerabilities

Appendix D
ICE Windows Servers with Known Vulnerabilities

Appendix E
Certification and Accreditation Status

Risk Assessment Status    Accreditation Status
Expired                   ATO
Completed                 ATO
Completed                 Expired

Appendix F
Status of Privacy Compliance Activities for ICE Systems

Privacy Threshold   Privacy Impact    Has the Privacy Impact  Has a System of
Analysis (PTA)      Assessment (PIA)  Assessment (PIA) Been   Records Notice Been
                    Required?         Submitted to the DHS    Published?
                                      Privacy Office for
                                      Validation?

PTA Completed       No PIA required   NA                      NA

PTA completed       PIA required      No                      Justice/INS-012 DACS
                                                              60-FR-52690, 52698, as
                                                              modified by subsequent
                                                              system of records
                                                              notices.

PTA not submitted   Unknown           NA                      DHS/OS1 HSPD-12 Office
to the DHS Privacy                                            of Security Files
Office for                                                    71 FR 53700
validation.

Appendix G
Major Contributors to This Report

Roger Dressler, Director, Department of Homeland Security, Information
Technology Audits

Kevin Burke, Audit Manager, Department of Homeland Security, Information
Technology Audits

Beverly Dale, Senior Auditor, Department of Homeland Security, Information
Technology Audits

Domingo Alvarez, Senior Auditor, Department of Homeland Security, Information
Technology Audits

Matthew Worner, Senior Program Analyst, Department of Homeland Security,
Information Technology Audits

Basil Marcus Badley, Senior Security Engineer, Department of Homeland
Security, Information Technology Audits

Syrita Morgan, Management and Program Assistant, Department of Homeland
Security, Information Technology Audits

Samer El-Hage, Management and Program Assistant, Department of Homeland
Security, Information Technology Audits

Steven Staats, Referencer Program Analyst, Department of Homeland Security,
Information Technology Audits

Appendix H
Report Distribution

Department of Homeland Security

    Secretary
    Deputy Secretary
    Chief of Staff
    Deputy Chief of Staff
    General Counsel
    Executive Secretary
    Under Secretary, Management
    Assistant Secretary for Policy
    Assistant Secretary for Public Affairs
    Assistant Secretary for Legislative Affairs
    Chief Information Officer (CIO)
    Chief Privacy Officer
    Deputy CIO
    Chief Information Security Officer
    Information Systems Security Manager, ICE
    CISO, ICE
    DHS Audit Liaison
    ICE Audit Liaison

Office of Management and Budget

    Chief, Homeland Security Branch
    DHS Program Examiner

Congress

    Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector
General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit
the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal misconduct relative to department programs or
operations:

    • Call our Hotline at 1-800-323-8603;
    • Fax the complaint directly to us at (202) 254-4292;
    • Email us at DHSOIGHOTLINE@dhs.gov; or
    • Write to us at:
      DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of
      Investigations - Hotline, 245 Murray Drive, SW, Building 410,
      Washington, DC 20528.

The OIG seeks to protect the identity of each writer
and caller.